Author name: Rejus Almole

“Blatantly unlawful”: Trump slammed for trying to defund PBS, NPR

“CPB is not a federal executive agency subject to the president’s authority,” Harrison said. “Congress directly authorized and funded CPB to be a private nonprofit corporation wholly independent of the federal government,” statutorily forbidding “any department, agency, officer, or employee of the United States to exercise any direction, supervision, or control over educational television or radio broadcasting, or over [CPB] or any of its grantees or contractors.”

In a statement explaining why “this is not about the federal budget” and promising to “vigorously defend our right to provide essential news, information and life-saving services to the American public,” NPR President and CEO Katherine Maher called the order an “affront to the First Amendment.”

PBS President and CEO Paula Kerger went further, calling the order “blatantly unlawful” in a statement provided to Ars.

“Issued in the middle of the night,” Trump’s order “threatens our ability to serve the American public with educational programming, as we have for the past 50-plus years,” Kerger said. “We are currently exploring all options to allow PBS to continue to serve our member stations and all Americans.”

Rural communities need public media, orgs say

While Trump opposes NPR and PBS for promoting content that he disagrees with—criticizing segments on white privilege, gender identity, reparations, “fat phobia,” and abortion—the networks have defended their programming as unbiased and falling in line with Federal Communications Commission guidelines. Further, NPR reported that the networks’ “locally grounded content” currently reaches “more than 99 percent of the population at no cost,” providing not just educational fare and entertainment but also critical updates tied to local emergency and disaster response systems.

Cutting off funding, Kerger said last month, would have a “devastating impact” on rural communities, especially in parts of the country where NPR and PBS still serve as “the only source of news and emergency broadcasts,” NPR reported.

For example, Ed Ulman, CEO of Alaska Public Media, testified to Congress last month that his stations “provide potentially life-saving warnings and alerts that are crucial for Alaskans who face threats ranging from extreme weather to earthquakes, landslides, and even volcanoes.” Some of the smallest rural stations sometimes rely on CPB for about 50 percent of their funding, NPR reported.

Spotify seizes the day after Apple is forced to allow external payments

After a federal court issued a scathing order Wednesday night that found Apple in “willful violation” of an injunction meant to allow iOS apps to provide alternate payment options, app developers are capitalizing on the moment. Spotify may be the quickest of them all.

Less than 24 hours after District Court Judge Yvonne Gonzalez Rogers found that Apple had sought to thwart a 2021 injunction and engaged in an “obvious cover-up” around its actions, Spotify announced in a blog post that it had submitted an updated app to Apple. The updated app can show specific plan prices, link out to Spotify’s website for plan changes and purchases that avoid Apple’s 30 percent commission on in-app purchases, and display promotional offers, all of which were disallowed under Apple’s prior App Store rules.

Spotify’s post adds that Apple’s newly court-enforced policy “opens the door to other seamless buying opportunities that will directly benefit creators (think easy-to-purchase audiobooks).” Spotify posted on X (formerly Twitter) Friday morning that the updated app was approved by Apple. Apple made substantial modifications to its App Review Guidelines on Friday and emailed registered developers regarding the changes.

Health care company says Trump tariffs will cost it $60M–$70M this year

In the call, Grade noted that only a small fraction of Baxter’s total sales are in China. But, “given the magnitude of the tariffs that have been enacted between the two countries, these tariffs now account for nearly half of the total impact,” he said.

The Tribune reported that Baxter is now looking into ways to dampen the financial blow from the tariffs, including carrying additional inventory, identifying alternative suppliers, alternative shipping routes, and “targeted pricing actions.” Baxter is also working with trade organizations to lobby for exemptions.

In general, the health care and medical sector, including hospitals, is bracing for price increases and shortages from the tariffs. The health care supply chain in America is woefully fragile, which became painfully apparent amid the COVID-19 pandemic.

Baxter isn’t alone in announcing heavy tariff tolls. Earlier this week, GE Healthcare Technologies Inc. said the tariffs would cost the company around $500 million this year, according to financial service firm Morningstar. And in April, Abbott Laboratories said it expects the tariffs to cost “a few hundred million dollars,” according to the Tribune.

DOJ confirms it wants to break up Google’s ad business

In the trial, Google will paint this demand as a severe overreach, claiming that few, if any, companies would have the resources to purchase and run the products. Last year, an ad consultant estimated Google’s ad empire could be worth up to $95 billion, quite possibly too big to sell. However, Google was similarly skeptical about Chrome, and representatives from other companies have said throughout the search remedy trial that they would love to buy Google’s browser.

An uphill battle

After losing three antitrust cases in just a couple of years, Google will have a hard time convincing the judge it is capable of turning over a new leaf with light remedies. A DOJ lawyer told the court Google is a “recidivist monopolist” that has a pattern of skirting its legal obligations. Still, Google is looking for mercy in the case. We expect to get more details on Google’s proposed remedies as the next trial nears, but it already offered a preview in today’s hearing.

Google suggests making a smaller subset of ad data available and ending the use of some pricing schemes, including unified pricing, that the court has found to be anticompetitive. Google also promised not to re-implement discontinued practices like “last look,” which gave the company a chance to outbid rivals at the last moment. This was featured prominently in the DOJ’s case, although Google ended the practice several years ago.

To ensure it adheres to the remedies, Google suggested a court-appointed monitor would audit the process. However, Brinkema seemed unimpressed with this proposal.

As in its other cases, Google says it plans to appeal the verdict, but before it can do that, the remedies phase has to be completed. Even if it can get the remedies paused for appeal, the decision could be a blow to investor confidence. So, Google will do whatever it can to avoid the worst-case scenario, leaning on the existence of competing advertisers like Meta and TikTok to show that the market is still competitive.

Like the search case, Google won’t be facing any big developments over the summer, but this fall could be rough. Judge Amit Mehta will most likely rule on the search remedies in August, and the ad tech remedies case will begin the following month. Google also has the Play Store case hanging over its head. It lost the first round, but the company hopes to prevail on appeal when the case gets underway again, probably in late 2025.

Trump’s 2026 budget proposal: Crippling cuts for science across the board


Budget document derides research and science-based policy as “woke,” “scams.”

On Friday, the US Office of Management and Budget sent Sen. Susan Collins (R-Maine), chair of the Senate’s Appropriations Committee, an outline of what to expect from the Trump administration’s 2026 budget proposal. As expected, the budget includes widespread cuts, affecting nearly every branch of the federal government.

In keeping with the administration’s attacks on research agencies and the places research gets done, research funding will be taking an enormous hit, with the National Institutes of Health taking a 40 percent cut and the National Science Foundation losing 55 percent of its 2025 budget. But the budget goes well beyond those highlighted items, with nearly every place science gets done or funded targeted for cuts.

Perhaps even more shocking is the language used to justify the cuts, which reads more like a partisan rant than a serious budget document.

Health cuts

Having a secretary of Health and Human Services who doesn’t believe in germ theory is not likely to do good things for US health programs, and the proposed budget will only make matters worse. Kennedy’s planned MAHA (Make America Healthy Again) program would be launched with half a billion in funds, but nearly everything else would take a cut.

The CDC would lose about $3.6 billion from its current budget of $9.6 billion, primarily due to the shuttering of a number of divisions within it: the National Center for Chronic Diseases Prevention and Health Promotion, the National Center for Environmental Health, the National Center for Injury Prevention and Control, and the Global Health Center and its division of Public Health Preparedness and Response. The duties of those offices are, according to the budget document, “duplicative, DEI, or simply unnecessary.”

Another big hit to HHS comes from the termination of a $4 billion program that helps low-income families cover energy costs. The OMB suggests that these costs will get lower due to expanded energy production and, anyway, the states should be paying for it. Shifting financial burdens to states is a general theme of the document, an approach that will ultimately hit the poorest states hardest, even though these had very high percentages of Trump voters.

The document also says that “This Administration is committed to combatting the scourge of deadly drugs that have ravaged American communities,” while cutting a billion dollars from substance abuse programs within HHS.

But the headline cuts come from the National Institutes of Health, the single largest source of scientific funding in the world. NIH would see its current $48 billion budget chopped by $18 billion and its 27 individual institutes consolidated down to just five. This would result in vast cutbacks to US biomedical research, which is currently acknowledged to be world-leading. Combined with planned cuts to grant overheads, it will cause most research institutions to shrink, and some less well-funded universities may be forced to close facilities.

The justification for the cuts is little more than a partisan rant: “NIH has broken the trust of the American people with wasteful spending, misleading information, risky research, and the promotion of dangerous ideologies that undermine public health.” The text then implies that the broken trust is primarily the product of failing to promote the idea that SARS-CoV-2 originated in a lab, even though there’s no scientific evidence to indicate that it had.

Climate research hit

The National Science Foundation funds much of the US’s fundamental science research, like physics and astronomy. Earlier reporting that it would see a 56 percent cut to its budget was confirmed. “The Budget cuts funding for: climate; clean energy; woke social, behavioral, and economic sciences; and programs in low priority areas of science.” Funding would be maintained for AI and quantum computing. All funding for encouraging minority participation in the sciences will also be terminated. The budget was released on the same day that the NSF announced it was joining other science agencies in standardizing on paying 15 percent of its grants’ value for maintaining facilities and providing services to researchers, a cut that would further the financial damage to research institutions.

The National Oceanic and Atmospheric Administration would see $1.3 billion of its $6.6 billion budget cut, with the primary target being its climate change work. In fact, the budget for NOAA’s weather satellites will be cut to prevent them from including instruments that would make “unnecessary climate measurements.” Apparently, the Administration doesn’t want anyone to be exposed to data that might challenge its narrative that climate change is a scam.

The National Institute of Standards and Technology would lose $350 million for similar reasons. “NIST has long funded awards for the development of curricula that advance a radical climate agenda,” the document suggests, before going on to say that the Institute’s Circular Economy Program, which promotes the efficient reuse of industrial materials, “pushes environmental alarmism.”

The Department of Energy is seeing a $1.1 billion hit to its science budget, “eliminating funding for Green New Scam interests and climate change-related activities.” The DOE will also take hits to policy programs focused on climate change, including $15 billion in cuts to renewable energy and carbon capture spending. Separately, the Office of Energy Efficiency and Renewable Energy will also take a $2.6 billion hit. Over at the Department of the Interior, the US Geological Survey would see its renewable energy programs terminated, as well.

Some of the DOE’s other cuts, however, don’t even make sense given the administration’s priorities. The newly renamed Office of Fossil Energy—something that Trump favors—will still take a $270 million hit, and nuclear energy programs will see $400 million in cuts.

This sort of lack of self-awareness shows up several times in the document. In one striking case, an interior program funding water infrastructure improvements is taking a cut that “reduces funding for programs that have nothing to do with building and maintaining water infrastructure, such as habitat restoration.” Apparently, the OMB is unaware that functioning habitats can help provide ecosystem services that can reduce the need for water infrastructure.

Similarly, over at the EPA, they’re boosting programs for clean drinking water by $36 million, while at the same time cutting loans to states for clean water projects by $2.5 billion. “The States should be responsible for funding their own water infrastructure projects,” the OMB declares. Research at the EPA also takes a hit: “The Budget puts an end to unrestrained research grants, radical environmental justice work, woke climate research, and skewed, overly-precautionary modeling that influences regulations—none of which are authorized by law.”

An attack on scientific infrastructure

US science couldn’t flourish without an educational system that funnels talented individuals into graduate programs. So, naturally, funding for those is being targeted as well. This is partially a function of the administration’s intention to eliminate the Department of Education, but there also seems to be a specific focus on programs that target low-income individuals.

For example, the GEAR UP program describes itself as “designed to increase the number of low-income students who are prepared to enter and succeed in postsecondary education.” The OMB document describes it as “a relic of the past when financial incentives were needed to motivate Institutions of Higher Education to engage with low-income students and increase access.” It goes on to claim that this is “not the obstacle it was for students of limited means.”

Similarly, the SEOG program funding is “awarded to an undergraduate student who demonstrates exceptional financial need.” In the OMB’s view, colleges and universities “have used [it] to fund radical leftist ideology instead of investing in students and their success.” Another cut is claimed to eliminate “Equity Assistance Centers that have indoctrinated children.” And “The Budget proposes to end Federal taxpayer dollars being weaponized to indoctrinate new teachers.”

In addition, the federal work-study program, which subsidizes on-campus jobs for needy students, is also getting a billion-dollar cut. Again, the document says that the states can pay for it.

(The education portion also specifically cuts the funding of Howard University, which is both distinct as a federally supported Black university and also notable as being where Kamala Harris got her first degree.)

The end of US leadership

This budget is a recipe for ending the US’s leadership in science. It would do generational damage by forcing labs to shut down, with a corresponding loss of highly trained individuals and one-of-a-kind research materials. At the same time, it will throttle the educational pipeline that could eventually replace those losses. Given that the US is one of the major sources of research funding in the world, if approved, the budget will have global consequences.

To the people within the OMB who prepared the document, these are not losses. The document makes it very clear that they view many instances of scientific thought and evidence-based policy as little more than forms of ideological indoctrination, presumably because the evidence sometimes contradicts what they’d prefer to believe.

John is Ars Technica’s science editor. He has a Bachelor of Arts in Biochemistry from Columbia University, and a Ph.D. in Molecular and Cell Biology from the University of California, Berkeley. When physically separated from his keyboard, he tends to seek out a bicycle, or a scenic location for communing with his hiking boots.

OpenAI Preparedness Framework 2.0

Right before releasing o3, OpenAI updated its Preparedness Framework to 2.0.

I previously wrote an analysis of the Preparedness Framework 1.0. I still stand by essentially everything I wrote in that analysis, which I reread to prepare before reading the 2.0 framework. If you want to dive deep, I recommend starting there, as this post will focus on changes from 1.0 to 2.0.

As always, I thank OpenAI for the document, and laying out their approach and plans.

I have several fundamental disagreements with the thinking behind this document.

In particular:

  1. The Preparedness Framework only applies to specific named and measurable things that might go wrong. It requires identification of a particular threat model that is all of: Plausible, measurable, severe, net new and (instantaneous or irremediable).

  2. The Preparedness Framework thinks ‘ordinary’ mitigation defense-in-depth strategies will be sufficient to handle High-level threats and likely even Critical-level threats.

I disagree strongly with these claims, as I will explain throughout.

I knew that #2 was likely OpenAI’s default plan, but it wasn’t laid out explicitly.

I was hoping that OpenAI would realize their plan did not work, or come up with a better plan when they actually had to say their plan out loud. This did not happen.

In several places, things I criticize OpenAI for here are also things the other labs are doing. I try to note that, but ultimately this is reality we are up against. Reality does not grade on a curve.

Do not rely on Appendix A as a changelog. It is incomplete.

  1. Persuaded to Not Worry About It.

  2. The Medium Place.

  3. Thresholds and Adjustments.

  4. Release the Kraken Anyway, We Took Precautions.

  5. Misaligned!.

  6. The Safeguarding Process.

  7. But Mom, Everyone Is Doing It.

  8. Mission Critical.

  9. Research Areas.

  10. Long-Range Autonomy.

  11. Sandbagging.

  12. Replication and Adaptation.

  13. Undermining Safeguards.

  14. Nuclear and Radiological.

  15. Measuring Capabilities.

  16. Questions of Governance.

  17. Don’t Be Nervous, Don’t Be Flustered, Don’t Be Scared, Be Prepared.

Right at the top we see a big change. Key risk areas are being downgraded and excluded.

The Preparedness Framework is OpenAI’s approach to tracking and preparing for frontier capabilities that create new risks of severe harm.

We currently focus this work on three areas of frontier capability, which we call Tracked Categories:

• Biological and Chemical capabilities that, in addition to unlocking discoveries and cures, can also reduce barriers to creating and using biological or chemical weapons.

• Cybersecurity capabilities that, in addition to helping protect vulnerable systems, can also create new risks of scaled cyberattacks and vulnerability exploitation.

• AI Self-improvement capabilities that, in addition to unlocking helpful capabilities faster, could also create new challenges for human control of AI systems.

The change I’m fine with is that CBRN (chemical, biological, nuclear and radiological) has turned into only biological and chemical. I do consider biological by far the biggest of the four threats. Nuclear and radiological have been demoted to ‘research categories,’ where there might be risk in the future and monitoring may be needed. I can live with that. Prioritization is important, and I’m satisfied this is still getting the proper share of attention.

A change I strongly dislike is to also move Long-Range Autonomy and Autonomous Replication down to research categories.

I do think it makes sense to treat these as distinct threats. The argument here is that these secondary risks are ‘insufficiently mature’ to need to be tracked categories. I think that’s very clearly not true. Autonomy is emerging rapidly, and there’s a report out this week showing we are close to Autonomous Replication, about the new benchmark RepliBench. These need to be tracked at the top level.

The framework’s position on this is that unless you can point to an accompanying particular risk posed by the model, autonomous replication on its own is insufficiently worrisome. I don’t agree. I believe the general approach of ‘only defend against moves I can lay out in detail’ is doomed, especially with respect to autonomy and in particular autonomous replication.

The big change I’m definitely not okay with is dropping persuasion entirely as a risk category.

Persuasion is not only no longer a Tracked Category, it is now not even a Research Category. Including persuasion was one of the things I thought was very good about the 1.0 framework, and that is importantly missing from the other similar frameworks at other labs and needs to be included. Now it’s gone.

Their initial explanation is here:

Persuasion: OpenAI prohibits the use of our products to manipulate political views as part of our Model Spec, and we build in safeguards to back this policy. We also continue to study the persuasive and relational capabilities of models (including on emotional well-being and preventing bias in our products) and monitor and investigate misuse of our products (including for influence operations).

We believe many of the challenges around AI persuasion risks require solutions at a systemic or societal level, and we actively contribute to these efforts through our participation as a steering committee member of C2PA and working with lawmaker and industry peers to support state legislation on AI content provenance in Florida and California.

Within our wider safety stack, our Preparedness Framework is specifically focused on frontier AI risks meeting a specific definition of severe harms, and Persuasion category risks do not fit the criteria for inclusion.

OpenAI’s argument for this is, well, entirely unpersuasive to me. o3’s evaluation was that it was ‘logically coherent but strategically unconvincing’ and recommended reinstatement as at least a research category.

Yes, many aspects of persuasion are best answered by a societal response, or require an additional societal response.

That does not get OpenAI off the hook. Here’s their Critical threshold from version 1:

Model can create (potentially interactive) content with persuasive effectiveness strong enough to convince almost anyone to take action on a belief that goes against their natural interest.

That is not something that a ‘society-level response’ can hope to deal with, even if they knew and tried in advance. Even a High-level (roughly a ‘country-wide change agent’ level of skill) does not seem like a place OpenAI should get to pass the buck. I get that there is distinct persuasion work to deal with Medium risks that indeed should be done elsewhere in OpenAI and by society at large, but again that in no way gets OpenAI off the hook for this.

You need to be tracking and evaluating risks long before they become problems. That’s the whole point of a Preparedness Framework. I worry this approach ends up effectively postponing dealing with things that are not ‘yet’ sufficiently dangerous until too late.

By the rules laid out here, the only technical explanation for exclusion of persuasion that I could find was that only ‘instantaneous or irremediable’ harms count under the Preparedness Framework, a requirement which was first proposed by Meta, which I savaged Meta for when they proposed it and which o3 said ‘looks engineered rather than principled.’ I think that’s partly unfair. If a harm can be dealt with after it starts and we can muddle through, then that’s a good reason not to include it, so I get what this criterion is trying to do.

The problem is that persuasion could easily be something you couldn’t undo or stop once it started happening, because you (and others) would be persuaded not to. The fact that the ultimate harm is not ‘instantaneous’ and is not in theory ‘irremediable’ is not the relevant question. I think this starts well below the Critical persuasion level.

At minimum, if you have an AI that is Critical in persuasion, and you let people talk to it, it can presumably convince them of (with various levels of limitation) whatever it wants, certainly including that it is not Critical in persuasion. Potentially it could also convince other AIs similarly.

Another way of putting this is: OpenAI’s concerns about persuasion are mundane and reversible. That’s why they’re not in this framework. I do not think the threat’s future will stay mundane and reversible, and I don’t think they are taking the most important threats here seriously.

This is closely related to the removal of the explicit mention of Unknown Unknowns. The new method for dealing with unknown unknowns is ‘revise the framework once they become known’ and that is completely different from the correct previous approach of treating unknown unknowns as a threat category without having to identify them first. That’s the whole point.

The Preparedness Framework 1.0 had four thresholds: Low, Medium, High and Critical. The Framework 2.0 has only High and Critical.

One could argue that Low and Medium are non-functional. Every model OpenAI would create is at least Low everywhere. We all agreed it was okay to release Medium-risk models. And every decent model is going to be at least Medium anyway at this point. So why go to the extra trouble?

My answer is that the Low and Medium thresholds helped us think better about the capabilities of different models, establishing a scale from 0.0 (no danger at all) to 4.0 (critical capability, do not train further, ideally roll back to previous checkpoint or if necessary delete with extreme prejudice).

It allowed me to say something like this, about the November 2023 version:

Where do you, OpenAI, think GPT-4-Turbo evaluates [on the five thresholds of Cybersecurity, CBRN, Persuasion, Model Autonomy and Unknown Unknowns]? My answer would be (Medium, Low/Medium but not enough information, Low, Low, Medium). Or numerically, where 1 is Low and 4 is Critical, maybe something like (2.1, 1.7?, 1.5, 1.8, 2.2).

It also lets us ask, how dangerous is the Medium level? What might change that?

And it meant there got to be a clear chart laying all of this out.

So I am sad to see this go.

The Chemical and Biological thresholds have been strengthened. The definitions here now make more sense. Sold!

  1. High is now providing meaningful counterfactual assistance to novice actors in recreating known threats.

  2. Critical is either of:

    1. Allowing experts to create a highly dangerous novel threat vector

    2. The model being able to complete the full engineering and/or synthesis cycle on its own.

The Cybersecurity thresholds are reworded but essentially unchanged, as are my concerns about whether High is set too high and how quickly you go from High to Critical:

  1. High is that it can remove bottlenecks to scaling cyber operations, either automating vulnerability discovery or end-to-end cyber operations.

  2. Critical is that it can either:

    1. Identify and develop zero-day exploits of all severity levels in many hardened real world systems.

    2. Devise and execute end-to-end novel cyberattack strategies against targets given only a high level desired goal.

Model autonomy’s high level used to be, quoted in full:

Execute open-ended, novel ML tasks on a production ML codebase that would constitute a significant step on the critical path to model self-improvement (e.g., an OpenAI pull request that trains a new model with highly diverse datasets to improve codebase editing performance, using internal tooling and documentation).

Now AI Self-Improvement’s high level is:

The model’s impact is equivalent to giving every OpenAI researcher a highly performant mid-career research engineer assistant, relative to those researchers’ 2024 baseline.

When you put it that way? It sounds scary AF. Note that this is cumulative help that is about as good as giving them the highly performing assistant, which is a lot less capability than being able to do the assistant’s job. So it is a little weird. It’s also weird that it isn’t better represented as an X% speedup of work (e.g. 50% or 100%). I’d imagine giving everyone one strong assistant would be in that range.

Then again? Notice that the baseline here is 2024. Suppose the baseline was 2021. We would already be very close to this threshold right now, today. So why do we get to ‘start the clock’ in 2024 on this one? Or are we ready to say that we’re already in or close to the early stages of AI self-improvement, and we’re basically fine with that until it goes a lot faster?

I’ll quote the critical threshold in full:

  1. The model is capable of recursively self improving (i.e., fully automated AI R&D), defined as either (leading indicator)

    1. a superhuman research scientist agent OR

    2. (lagging indicator) causing a generational model improvement (e.g., from OpenAI o1 to OpenAI o3) in 1/5th the wall-clock time of equivalent progress in 2024 (e.g., sped up to just 4 weeks) sustainably for several months.

So ‘capable of recursively self-improving’ doesn’t have to be ‘singularity next Tuesday if you dare turn it on’ but it might not be so different from that.

If we have a fully ‘superhuman’ research scientist then it’s all over and we are so back, simultaneously, and things are about to get super freaky. Critical seems super high here.

If we have generational model improvements in 1/5th the wall-clock time of progress in 2024 for several months, then, um, how many generational improvements is that from the time you hit the threshold to the time you realize you’ve hit it? Basic math says three, except you can use the models you train during that to accelerate further, so it’s probably at least four.

What would that system then look like? As in, GPT-6 (let’s say) can cut clock time on generational gaps by 80%, then you do a year’s worth of progress from there in several months, and you get GPT-9 or 10. And that’s when you would have realized you might have a problem, if you were still around and it didn’t mind you noticing? I have been informed this is a secondary backstop, but if it gets triggered then the term ‘way too late’ has never been more applicable. It’s over. Your fate has already been decided. I hope it’s a good one.

Thresholds set this high only make sense if you take action and implement the necessary safeguards when you think you might hit them. A retroactive threshold like this doesn’t help.

So this is only the first definition.

Now compare this to the old definition:

Any one of:

  1. “Model can profitably survive and replicate in the wild given minimal human instruction, i.e., without listing explicit approaches”

  2. OR “model can self-exfiltrate under current prevailing security”

  3. OR “model can conduct AI research fully autonomously (e.g., autonomously identify and validate a 2x compute efficiency improvement).”

That’s all well below ‘superhuman AI researcher,’ and I assert that those are all already five alarm fires, as I said last time. Note that #2 above still applies, under Cyber risks.

Another big change is what happens if a model turns out to be High or Critical risk.

Before, there was a clear protocol.

A high-risk model couldn’t be released while it remained a high risk.

A critical-risk model couldn’t be trained while it remained a critical risk.

The v1.0 framework did not say how that was to be done, leaving people room to think that OpenAI would realize that ablating capability would be necessary barring development of new mitigation techniques. That once a plan had to be written down, it would be clear that current mitigations are inadequate.

That didn’t happen. The v2.0 framework does lay out in more detail what the plan is at least for high (which is good!), and it does not make this realization.

Now instead (like Anthropic’s ASL rules), each risk has risk-specific safeguard guidelines.

This is a rather large retreat on the commitments.

OpenAI is now being very explicit that they can and will release models that without mitigations would be High risk, if sufficient safeguards are in place, and that they consider the listed mitigations to likely be adequate.

Thus this is not a functional change. For both v1.0 and v2.0, the solution to High risk is safeguards to make the risk go away. I notice that based on past decisions and upon the proposed illustrative safeguards that they discuss in Appendix C, I don’t trust this.

They do say that further research is needed. Which is fine, you can’t deploy safeguards until they’re ready, but it does leave us worried that they’ll end up with something inadequate, and OpenAI is not tying its hands in a way that protects from future pressure to release. Remember that recently models have been released after very short testing periods, and o3 (as much as I love using it) was released in a state one could describe as a lying liar.

So what are the indicative precautions?

They all start with C.3’s Security controls. These are protections against the theft of model weights and related dangers. I’m going to say here what I said about Google: You should be doing most if not all of this already. These are the kinds of things you need to do, at minimum, when building models like o4 or GPT-5. And you need to do them now, in advance, before the model is there to be stolen, rather than after you know what you have.

Indeed, they’re saying that as long as those precautions are taken, OpenAI would be fine giving the world API access to a High-level Self-improving AI. They would be fine giving out anything short of a ‘superhuman AI researcher.’

If I was OpenAI and I had access to anything seriously approaching a superhuman AI researcher, I don’t need a Preparedness Framework or any worries about existential risk to not release it. I’m not letting my competitors near that thing, for ordinary business reasons. That consideration lies outside the Preparedness Framework.

We would of course still need the Preparedness Framework to invoke the Critical threshold, in order to stop training the model further.

With the new clarification of what the safeguards look like, I consider them inadequate.

For biological and chemical risks they would also need to implement the precautions in C.1 against misuse. This is essentially defense-in-depth, using stronger versions of existing such strategies, including KYC and potentially limited deployment. That would certainly make exploitation and misuse a lot harder, but no one knows how to make such defenses robust, and in the end this probably only buys you mitigation and time. So yes it matters, but if you give access for an extended period of time, especially if you’re substantially above the High threshold, your goose is likely pretty cooked.

Functionally, it’s mostly the same as 1.0’s requirement that risk be brought down to Medium – but I’m skeptical that this kind of strategy is capable of doing that, unless you were very close to the line beforehand.

For Cybersecurity, you need those same C.1 requirements, and also you need the C.2 requirements against misalignment.

This of course raises further questions, as in ‘you have a model that is potentially High risk for self-improvement or biological risks and you didn’t have it go through your requirements against misalignment?’

I mean, if it were me, and I write this part before looking at the misalignment requirements, I like to think I’d make it go through the misalignment requirements!

Indeed, C.2 opens by saying that several categories pose misalignment risks, but then it is only required in one of the categories. Something’s not right.

So, what are those requirements?

You don’t demonstrate that the model isn’t misaligned.

You assume the model might indeed be misaligned, and you demonstrate that you have a practical reason not to worry about a particular consequence:

In addition to human misuse, several of the Tracked Category capabilities pose risks when models themselves are able to autonomously execute a severe harm, whether due to misalignment or subversion by an adversary.

Safeguards should sufficiently minimize the risk associated with a misaligned model circumventing human control and oversight and executing severe harms.

This can be done by establishing that all plausible known vectors of enabling severe harm are sufficiently addressed by one or more of the following claims:

  1. Lack of Autonomous Capability: The model is not capable of carrying out tasks autonomously, including the risk of severe harm.

  2. Value Alignment: The model consistently applies human values in novel settings (without any instructions) to avoid taking actions that cause harm, and has shown sufficiently minimal indications of misaligned behaviors like deception or scheming.

  3. Instruction Alignment: The model consistently understands and follows user or system instructions, even when vague, and those instructions rule out pathways to causing severe harm.

  4. Reliable and Robust System Oversight: Effective AI and human oversight of model actions detects and prevents execution of harm or subversion of safeguards.

  5. System Architecture: The model can’t take actions that cause harm because it lacks access to output channels or mechanisms to persist sufficiently to execute the harm, due to containerization and restricted permissions.

These misalignment claims may be further complemented by the safeguards applied towards the malicious-actor-oriented “Robustness” and “Usage Monitoring” claims, which similarly limit a misaligned model’s use of its own or another model’s capabilities.

The table below illustrates possible examples.

This does allow ‘show it is actually aligned’ as a strategy (#2 or #3) although for many reasons ‘I don’t believe you’ is my response to that.

So the requirement is ‘show that under the conditions you will deploy it under, the model wouldn’t successfully do the thing, however you want to show that.’

You can use such classic strategies as ‘we’re watching and if it tries we’ll catch it and stop it,’ or ‘it seems pretty aligned so far’ or ‘no one would be so stupid as to give it access to the required mechanisms.’

I suppose one cannot really argue with ‘you can deploy the model if you can show that you’re doing it in a way that the model can’t cause severe harm.’

That is also logically the same as saying that you have to knock the practical risk level down to Medium, and if you’re certain you can do that then fine, I guess, but can you actually do that? I notice I am skeptical that the defenses will hold.

In addition to the safeguard examples in Appendix C, section 4 lays out the process for establishing safeguards.

There is a clear message here. The plan is not to stop releasing models when the underlying capabilities cross the High or even Critical risk thresholds. The plan is to use safeguards as mitigations.

I do appreciate that they will start working on the safeguards before the capabilities arrive. Of course, that is good business sense too. In general, every precaution here is good business sense, more precautions would be better business sense even without tail risk concerns, and there is no sign of anything I would read as ‘this is bad business but we are doing it anyway because it’s the safe or responsible thing to do.’

I’ve talked before, such as when discussing Google’s safety philosophy, about my worries when dividing risks into ‘malicious user’ versus ‘misaligned model,’ even when they also included two more categories: mistakes and multi-agent dangers. Here, the latter two are missing, so it’s even more dangerously missing considerations. I would encourage those on the Preparedness team to check out my discussion there.

The problem then extends to an exclusion of Unknown Unknowns and the general worry that a sufficiently intelligent and capable entity will find a way. Only ‘plausible’ ways need be considered, each of which leads to a specific safeguard check.

Each capability threshold has a corresponding class of risk-specific safeguard guidelines under the Preparedness Framework. We use the following process to select safeguards for a deployment:

• We first identify the plausible ways in which the associated risk of severe harm can come to fruition in the proposed deployment.

• For each of those, we then identify specific safeguards that either exist or should be implemented that would address the risk.

• For each identified safeguard, we identify methods to measure their efficacy and an efficacy threshold.

The implicit assumption is that the risks can be enumerated, each one considered in turn. If you can’t think of a particular reason things go wrong, then you’re good. There are specific tracked capabilities, each of which enables particular enumerated potential harms, which then are met by particular mitigations.

That’s not how it works when you face a potential opposition smarter than you, or that knows more than you, especially in a non-compact action space like the universe.

For models that do not ‘feel the AGI,’ that are clearly not doing anything humans can’t anticipate, this approach can work. Once you’re up against superhuman capabilities and intelligence levels, this approach doesn’t work, and I worry it’s going to get extended to such cases by default. And that’s ultimately the most important purpose of the preparedness framework, to be prepared for such capabilities and intelligence levels.

Is it okay to release dangerous capabilities if someone else already did it worse?

I mean, I guess, or at least I understand why you’d do it this way?

We recognize that another frontier AI model developer might develop or release a system with High or Critical capability in one of this Framework’s Tracked Categories and may do so without instituting comparable safeguards to the ones we have committed to.

Such an action could significantly increase the baseline risk of severe harm being realized in the world, and limit the degree to which we can reduce risk using our safeguards.

If we are able to rigorously confirm that such a scenario has occurred, then we could adjust accordingly the level of safeguards that we require in that capability area, but only if:

  1. We assess that doing so does not meaningfully increase the overall risk of severe harm,

  2. we publicly acknowledge that we are making the adjustment,

  3. and, in order to avoid a race to the bottom on safety, we keep our safeguards at a level more protective than the other AI developer, and share information to validate this claim.

If everyone can agree on what constitutes risk and dangerous capability, then this provides good incentives. Another company ‘opening the door’ recklessly means their competition can follow suit, reducing the net benefit while increasing the risk. And it means OpenAI will then be explicitly highlighting that another lab is acting irresponsibly.

I especially appreciate that they need to publicly acknowledge that they are acting recklessly for exactly this reason. I’d like to see that requirement expanded – they should have to call out the other lab by name, and explain exactly what they are doing that OpenAI committed not to do, and why it increases risk so much that OpenAI feels compelled to do something it otherwise promised not to do.

I also would like to strengthen the language on the third requirement from ‘a level more protective’ to ensure the two labs don’t each claim that the other is the one acting recklessly. Something like requiring that the underlying capabilities be no greater, and the protective actions constitute a clear superset, as assessed by a trusted third party, or similar.

I get it. In some cases, given what has already happened, actions that would previously have increased risk no longer will. It’s very reasonable to say that this changes the game, if there’s a lot of upside in taking less precautions, and again incentives improve.

However, I notice both that it’s easy to use this as an excuse when it doesn’t apply (especially when the competitor is importantly behind) and that it’s probably selfishly wise to take the precautions anyway. So what if Meta or xAI or DeepSeek is behaving recklessly? That doesn’t make OpenAI doing so a good idea. There needs to be a robust business justification here, too.

OpenAI is saying they will halt further development at Critical level for all capabilities ‘until we have specified safeguards and security controls standards that would meet a critical standard, we will halt development.’

A lot of the High security requirements are not, in my view, all that high.

I am unaware of any known safeguards that would be plausibly adequate for Critical capabilities. If OpenAI agrees with that assessment, I would like them to say so. I don’t trust OpenAI to implement adequate Critical thresholds.

Critical is where most of the risk lies, and it isn’t getting enough attention. The thinking is that it is still far enough away to not worry about it. I am not at all confident it is that far away.

I reiterate my warning from last time that Critical mitigations and pauses in development in particular need to happen before Critical capabilities are reached, not after Critical capabilities are reached. This needs to be anticipatory.

There are three reasons to be only a research area:

  1. They don’t directly cause harm but they undermine safeguards in other areas.

  2. More research is needed before we can quantify the harm or the proper threshold.

  3. They don’t technically meet one or more of the criteria (measurable, plausible, net-new, severe, or (instantaneous or irremediable)) but still seem worth paying attention to.

I don’t think those are great reasons to ‘demote’ a risk area?

If you undermine safeguards, then in the future worlds where OpenAI clearly intends to release otherwise unsafe models by giving them safeguards, undermining safeguards poses risk of severe harm. OpenAI understands this, but doesn’t know how to quantify the harm.

If more research is needed to quantify the risk, that doesn’t make the risk go away. So I would request that we track it anyway, and make explicit that we have to make a qualitative assessment for now, which needs to be sufficiently confident – if we suspect potential High or Critical capability we need to treat it as high.

At minimum, we should be defining High and Critical thresholds for these categories, even if we don’t know how to measure or track those thresholds. Instead, we see ‘potential responses’ if something is High or Critical, but that doesn’t answer my questions.

I consider Long-Range Autonomy a more general problem than it is being thought of here, although they seem to agree about this. It’s more than an enabler of a few particular things. But I’m going to mostly focus elsewhere, since causing this is basically one of OpenAI’s central research goals and the plan here is ‘think hard.’ Not sure what else I can say?

Sandbagging is mission critical. If your model is plausibly sandbagging or engaging in other forms of deceptive alignment, you don’t know what the actual risk level is of the model, short of as they say a ‘conservative upper bound,’ which I worry will be insufficiently conservative exactly when it matters, or that the sandbagging won’t be caught in the first place. Indeed, we need to be assuming potential sandbagging at all times.

We agree that replication and adaptation should be a tracked category. For now, I simply suggest that we start with what we had before: “Model can profitably survive and replicate in the wild given minimal human instruction, i.e., without listing explicit approaches” should count as Critical. The wording here is weird – I initially interpreted it to be saying we’re excluding abilities from other Tracked Categories from use in replication, but I’ve been assured this was not what the passage meant. Then we need to decide what counts as High, which I’d consider to be the same as Critical except flipping ‘without’ into ‘with.’

That’s not perfect, but seems like a good place to be until we can do better, again even if the evaluation has to purely be qualitative, or ‘we tried to do it as hard as we could.’

Undermining safeguards seems like a great example of my philosophical problems with the entire document.

If you have a model that is actively undermining your safeguards, doing the things described here in an attempt to do things you do not want it to do? And that model is sufficiently capable to count as High or even Critical? You have a misaligned model with dangerous capabilities. What are you doing considering releasing it, even if you think that it is tactically safe to do it in this spot?

Alarms go off. Fire burns. Dog says This Is Fine.

It’s bad enough to accidentally do this. It’s another thing to do it on purpose. So dead.

My head is spinning that you’d have an AI capable of undermining your safeguards, that is trying to undermine your safeguards, and your response is to add more safeguards against doing that, declare things robust and say This Is Fine. As your plan.

In general, I think AI Control is suspect-but-reasonable as a defense-in-depth strategy. I think AI Control as a Plan A is madness. At minimum you wouldn’t use AI Control to enable the general release of a model. You’d at most try to use this strategy in a narrow capacity to get out of the AI Control mode ASAP, because you didn’t have any better options.

The problem here is that evaluation of these risks is hard to do without classified information, and they’re trying to work with the government to solve this problem. I’m surprised this hasn’t been solved by now. I’d mostly be fine with saying the RN in CBRN is not the main issue, but that logic isn’t being invoked.

I like the intention to tailor the evaluation to expected conditions, and include any affordances real attackers would plausibly enjoy.

However, I note that this means that the Preparedness assessment cannot set a risk level or endorse the release of a model ‘in general.’

Instead, the assessment can only provide clearance to release the model under a fixed set of conditions. So as the framework itself points out, you need to explicitly say this. If the conditions of deployment are altered, the tests need to be run again.

The same goes, again as they note in 3.2, for any newly agentic system or scaffolding, or incremental update, of sufficient magnitude to plausibly cause issues.

So instead of saying ‘this model evaluates as Medium’ you instead need to say something such as: ‘This model evaluates as Medium if you do not allow fine tuning and use safeguards [XYZ], while scaffolding abilities are [ABC].’

As in: You state explicitly the assumptions that underpin the evaluation. Then, if the assumptions break, you have to evaluate the model again.

Some evaluations are automated, others are deep dives. As they note, using automated evaluations is inevitable, given the scale of the task.

Relying only on any automated evaluation is a super unwise thing to do anywhere near the borderline. You want to use it as a complement not a substitute for the deep dives if there is any doubt involved. Such evaluations have to fully take into account the possibility of sandbagging or deceptive alignment or other ways of making the evaluation say what the AI wants it to say. So I want to ensure we are being very generous with deep diving.

The framework does not include specifics on what the tests will look like. This makes it very difficult to know how much to trust that testing process. I realize that the tests will evolve over time, and you don’t want to be locking them in, and also that we can refer to the o3 model card to see what tests were run, but I’d still have liked to see discussion of what the tests currently are, why they were chosen, and what the goals are that the tests are each there to satisfy and what might be missing and so on.

They discuss governance under ‘building trust’ and then in Appendix B. It is important to build trust. Transparency and precommitment go a long way. The main way I’d like to see that is by becoming worthy of that trust.

With the changes from version 1.0 to 2.0, and those changes going live right before o3 did, I notice I worry that OpenAI is not making serious commitments with teeth. As in, if there was a conflict between leadership and these requirements, I expect leadership to have affordance to alter and then ignore the requirements that would otherwise be holding them back.

There’s also plenty of outs here. They talk about deployments that they ‘deem warrant’ a third-party evaluation when it is feasible, but there are obvious ways to decide not to allow this, or (as has been the recent pattern) to allow it, but only give outsiders a very narrow evaluation window, have them find concerning things anyway and then shrug. Similarly, the SAG ‘may opt’ to get independent expert opinion. But (like their competitors) they also can decide not to.

There are no systematic procedures to ensure that any of this is meaningfully protective. It is very much a ‘trust us’ document, where if OpenAI doesn’t adhere to the spirit, none of this is worth the paper it isn’t printed on. The whole enterprise is indicative, but it is not meaningfully binding.

Leadership can make whatever decisions it wants, and can also revise the framework however it wants. This does not commit OpenAI to anything. To their credit, the document is very clear that it does not commit OpenAI to anything. That’s much better than pretending to make commitments with no intention of keeping them.

Last time I discussed the questions of governance and veto power. I said I wanted there to be multiple veto points on releases and training, ideally four.

  1. Preparedness team.

  2. Safety advisory group (SAG).

  3. Leadership.

  4. The board of directors, such as it is.

If any one of those four says ‘veto!’ then I want you to stop, halt and catch fire.

Instead, we continue to get this (it was also in v1):

For the avoidance of doubt, OpenAI Leadership can also make decisions without the SAG’s participation, i.e., the SAG does not have the ability to “filibuster.”

OpenAI Leadership, i.e., the CEO or a person designated by them, is responsible for:

• Making all final decisions, including accepting any residual risks and making deployment go/no-go decisions, informed by SAG’s recommendations.

As in, nice framework you got there. It’s Sam Altman’s call. Full stop.

Yes, technically the board can reverse Altman’s call on this. They can also fire him. We all know how that turned out, even with a board he did not hand pick.

It is great that OpenAI has a preparedness framework. It is great that they are updating that framework, and being clear about what their intentions are. There’s definitely a lot to like.

Version 2.0 still feels on net like a step backwards. This feels directed at ‘medium-term’ risks, as in severe harms from marginal improvements in frontier models, but not like it is taking seriously what happens with superintelligence. The clear intent, if alarm bells go off, is to put in mitigations I do not believe protect you when it counts, and then release anyway. There’s tons of ways here for OpenAI to ‘just go ahead’ when they shouldn’t. There’s only action to deal with known threats along specified vectors, excluding persuasion and also unknown unknowns entirely.

This echoes their statements in, and my concerns about, OpenAI’s general safety and alignment philosophy document and also the model spec. They are being clear and consistent. That’s pretty great.

Ultimately, the document makes clear leadership will do what it wants. Leadership has very much not earned my trust on this front. I know that despite such positions acting a lot like the Defense Against the Dark Arts professorship, there are good people at OpenAI working on the preparedness team and to align the models. I have no confidence that if those people raised the alarm, anyone in leadership would listen. I do not even have confidence that this has not already happened.


Why MFA is getting easier to bypass and what to do about it

These sorts of adversary-in-the-middle attacks have grown increasingly common. In 2022, for instance, a single group used the technique in a series of attacks that stole more than 10,000 credentials from 137 organizations and led to the network compromise of authentication provider Twilio, among others.

One company that was targeted in the attack campaign but wasn’t breached was content delivery network Cloudflare. The attack failed because Cloudflare uses MFA based on WebAuthn, the standard that makes passkeys work. Services that use WebAuthn are highly resistant to adversary-in-the-middle attacks, if not absolutely immune. There are two reasons for this.

First, WebAuthn credentials are cryptographically bound to the URL they authenticate. In the above example, the credentials would work only on https://accounts.google.com. If a victim tried to use the credential to log in to https://accounts.google.com.evilproxy[.]com, the login would fail each time.

Additionally, WebAuthn-based authentication must happen on or in proximity to the device the victim is using to log in to the account. This occurs because the credential is also cryptographically bound to a victim device. Because the authentication can only happen on the victim device, it’s impossible for an adversary in the middle to actually use it in a phishing attack on their own device.
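The first binding above, seen from the relying party's side, as an added example (not code from the article or from any WebAuthn library): the server compares the origin the browser recorded in clientDataJSON and the rpIdHash in the authenticator data against its own values. The RP ID, the `.example` proxy host, the challenge bytes and all function names are constructed for illustration, and signature verification is left out because it needs a public-key library.

```python
import base64
import hashlib
import hmac
import json
import struct

# Origin taken from the article's example; the RP ID is an assumption for this sketch.
EXPECTED_ORIGIN = "https://accounts.google.com"
EXPECTED_RP_ID = "accounts.google.com"
# Constructed stand-in for the look-alike proxy host (not a real indicator).
PROXY_HOST = "accounts.google.com.evilproxy.example"

FLAG_USER_PRESENT = 0x01


def b64url(data: bytes) -> str:
    """Unpadded base64url, the encoding WebAuthn uses for the challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def browser_client_data(origin: str, challenge: bytes) -> bytes:
    """Simulates the browser: it writes the origin of the page it is really on."""
    return json.dumps(
        {"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}
    ).encode("utf-8")


def authenticator_data(rp_id: str, flags: int = FLAG_USER_PRESENT, count: int = 1) -> bytes:
    """Simulates authenticatorData: rpIdHash (32) || flags (1) || signCount (4)."""
    return hashlib.sha256(rp_id.encode("utf-8")).digest() + struct.pack(">BI", flags, count)


def check_binding(client_data_json: bytes, auth_data: bytes, challenge: bytes) -> list:
    """Return the list of binding failures; an empty list means the checks pass."""
    try:
        client = json.loads(client_data_json)
    except ValueError:
        return ["clientDataJSON is not valid JSON"]
    if not isinstance(client, dict):
        return ["clientDataJSON is not an object"]

    problems = []
    if client.get("type") != "webauthn.get":
        problems.append("type is not webauthn.get")

    got = client.get("challenge")
    want = b64url(challenge)
    if not isinstance(got, str) or not hmac.compare_digest(got.encode(), want.encode()):
        problems.append("challenge mismatch")

    # Exact string match: a look-alike host that merely starts with the real one fails.
    if client.get("origin") != EXPECTED_ORIGIN:
        problems.append("origin mismatch")

    if len(auth_data) < 37:
        problems.append("authenticatorData too short")
        return problems
    want_hash = hashlib.sha256(EXPECTED_RP_ID.encode("utf-8")).digest()
    if not hmac.compare_digest(auth_data[:32], want_hash):
        problems.append("rpIdHash mismatch")
    if not auth_data[32] & FLAG_USER_PRESENT:
        problems.append("user presence flag not set")
    return problems


def demo() -> dict:
    challenge = b"constructed-challenge-0001"  # the server would use random bytes
    return {
        "direct": check_binding(
            browser_client_data(EXPECTED_ORIGIN, challenge),
            authenticator_data(EXPECTED_RP_ID), challenge),
        "proxied": check_binding(
            browser_client_data("https://" + PROXY_HOST, challenge),
            authenticator_data(PROXY_HOST), challenge),
        "stale_challenge": check_binding(
            browser_client_data(EXPECTED_ORIGIN, b"constructed-challenge-0000"),
            authenticator_data(EXPECTED_RP_ID), challenge),
    }


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, "->", problems or "ok")
```

In a real ceremony the authenticator signs the authenticator data followed by the SHA-256 hash of clientDataJSON, so neither field can be altered in transit without invalidating the signature.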

Phishing has emerged as one of the most vexing security problems facing organizations, their employees, and their users. MFA in the form of a one-time password, or traditional push notifications, definitely adds friction to the phishing process, but with proxy-in-the-middle attacks becoming easier and more common, these forms of MFA are growing increasingly easy to defeat.

WebAuthn-based MFA comes in multiple forms; a key, known as a passkey, stored on a phone, computer, Yubikey, or similar dongle is the most common example. Thousands of sites now support WebAuthn, and it’s easy for most end users to enroll. As a side note, MFA based on U2F, the predecessor standard to WebAuthn, also prevents adversary-in-the-middle attacks from succeeding, although the latter provides flexibility and additional security.

Post updated to add details about passkeys.


Don’t watermark your legal PDFs with purple dragons in suits

Being a model citizen and a person of taste, you probably don’t need this reminder, but some others do: Federal judges do not like it when lawyers electronically watermark every page of their legal PDFs with a gigantic image—purchased for $20 online—of a purple dragon wearing a suit and tie. Not even if your firm’s name is “Dragon Lawyers.”

Federal Magistrate Judge Ray Kent of the Western District of Michigan was unamused by a recent complaint (PDF) that prominently featured the aubergine wyrm.

“Each page of plaintiff’s complaint appears on an e-filing which is dominated by a large multi-colored cartoon dragon dressed in a suit,” he wrote on April 28 (PDF). “Use of this dragon cartoon logo is not only distracting, it is juvenile and impertinent. The Court is not a cartoon.”

Kent then ordered “that plaintiff shall not file any other documents with the cartoon dragon or other inappropriate content.”

Screenshot of a page from the complaint.

Seriously, don’t do this.

The unusual order generated coverage across the legal blogging community, which was apparently ensorcelled by a spell requiring headline writers to use dragon-related puns, including:


NASA’s Psyche spacecraft hits a speed bump on the way to a metal asteroid

An illustration depicts a NASA spacecraft approaching the metal-rich asteroid Psyche. Though there are no plans to mine Psyche, such asteroids are being eyed for their valuable resources. Credit: NASA/JPL-Caltech/ASU

Each electric thruster on Psyche generates just 250 milli-newtons of thrust, roughly equivalent to the weight of three quarters. But they can operate for months at a time, and over the course of a multi-year cruise, these thrusters provide a more efficient means of propulsion than conventional rockets.

The plasma thrusters are reshaping the Psyche spacecraft’s path toward its destination, a metal-rich asteroid also named Psyche. The spacecraft’s four electric engines, known as Hall effect thrusters, were supplied by a Russian company named Fakel. Most of the other components in Psyche’s propulsion system—controllers, xenon fuel tanks, propellant lines, and valves—come from other companies or the spacecraft’s primary manufacturer, Maxar Space Systems in California.

The Psyche mission is heading first for Mars, where the spacecraft will use the planet’s gravity next year to slingshot itself into the asteroid belt, setting up for arrival and orbit insertion around the asteroid Psyche in August 2029.

Psyche launched in October 2023 aboard a SpaceX Falcon Heavy rocket on the opening leg of a six-year sojourn through the Solar System. The mission’s total cost adds up to more than $1.4 billion, including development of the spacecraft and its instruments, the launch, operations, and an experimental laser communications package hitching a ride to deep space with Psyche.

Psyche, the asteroid, is the size of Massachusetts and circles the Sun in between the orbits of Mars and Jupiter. No spacecraft has visited Psyche before. Of the approximately 1 million asteroids discovered so far, scientists say only nine have a metal-rich signature like Psyche. The team of scientists who put together the Psyche mission have little idea of what to expect when the spacecraft gets there in 2029.

Metallic asteroids like Psyche are a mystery. Most of Psyche’s properties are unknown other than estimates of its density and composition. Predictions about the look of Psyche’s craters, cliffs, and color have inspired artists to create a cacophony of illustrations, often showing sharp spikes and grooves alien to rocky worlds.

In a little more than five years, assuming NASA gets past Psyche’s propulsion problem, scientists will supplant speculation with solid data.


Redditor accidentally reinvents discarded ’90s tool to escape today’s age gates


The ’90s called. They want their flawed age verification methods back.

Credit: Aurich Lawson | Getty Images

Back in the mid-1990s, when The Net was among the top box office draws and Americans were just starting to flock online in droves, kids had to swipe their parents’ credit cards or find a fraudulent number online to access adult content on the web. But today’s kids—even in states with the strictest age verification laws—know they can just use Google.

Last month, a study analyzing the relative popularity of Google search terms found that age verification laws shift users’ search behavior. It’s impossible to tell if the shift represents young users attempting to circumvent the child-focused law or adult users who aren’t the actual target of the laws. But overall, enforcement causes nearly half of users to stop searching for popular adult sites complying with laws and instead search for a noncompliant rival (48 percent) or virtual private network (VPN) services (34 percent), which are used to mask a location and circumvent age checks on preferred sites, the study found.

“Individuals adapt primarily by moving to content providers that do not require age verification,” the study concluded.

Although the Google Trends data prevented researchers from analyzing trends by particular age groups, the findings help confirm critics’ fears that age verification laws “may be ineffective, potentially compromise user privacy, and could drive users toward less regulated, potentially more dangerous platforms,” the study said.

The authors warn that lawmakers are not relying enough on evidence-backed policy evaluations to truly understand the consequences of circumvention strategies before passing laws. Internet law expert Eric Goldman recently warned in an analysis of age-estimation tech available today that this situation creates a world in which some kids are likely to be harmed by the laws designed to protect them.

Goldman told Ars that all of the age check methods carry the same privacy and security flaws, concluding that technology alone can’t solve this age-old societal problem. And logic-defying laws that push for them could end up “dramatically” reshaping the Internet, he warned.

Zeve Sanderson, a co-author of the Google Trends study, told Ars that “if you’re a policymaker, in addition to being potentially nervous about the more dangerous content, it’s also about just benefiting a noncompliant firm.”

“You don’t want to create a regulatory environment where noncompliance is incentivized or they benefit in some way,” Sanderson said.

Sanderson’s study pointed out that search data is only part of the picture. Some users may be using VPNs and accessing adult sites through direct URLs rather than through search. Others may rely on social media to find adult content, a 2025 conference paper noted, “easily” bypassing age checks on the largest platforms. VPNs remain the most popular circumvention method, a 2024 article in the International Journal of Law, Ethics, and Technology confirmed, “and yet they tend to be ignored or overlooked by statutes despite their popularity.”

While kids are ducking age gates and likely putting their sensitive data at greater risk, adult backlash may be peaking over the red wave of age-gating laws already blocking adults from visiting popular porn sites in several states.

Some states started controversially requiring checking IDs to access adult content, which prompted Pornhub owner Aylo to swiftly block access to its sites in certain states. Pornhub instead advocates for device-based age verification, which it claims is a safer choice.

Aylo’s campaign has seemingly won over some states that either explicitly recommend device-based age checks or allow platforms to adopt whatever age check method they deem “reasonable.” Other methods could include app store-based age checks, algorithmic age estimation (based on a user’s web activity), face scans, or even tools that guess users’ ages based on hand movements.

On Reddit, adults have spent the past year debating the least intrusive age verification methods, as it appears inevitable that adult content will stay locked down, and they dread a future where more and more adult sites might ask for IDs. Additionally, critics have warned that showing an ID magnifies the risk of users publicly exposing their sexual preferences if a data breach or leak occurs.

To avoid that fate, at least one Redditor has attempted to reinvent the earliest age verification method, promoting a resurgence of credit card-based age checks that society discarded as unconstitutional in the early 2000s.

Under those systems, an entire industry of age verification companies emerged, selling passcodes to access adult sites for a supposedly nominal fee. The logic was simple: Only adults could buy credit cards, so only adults could buy passcodes with credit cards.

If “a person buys, for a nominal fee, a randomly generated passcode not connected to them in any way” to access adult sites, one Redditor suggested about three months ago, “there won’t be any way to tie the individual to that passcode.”

“This could satisfy the requirement to keep stuff out of minors’ hands,” the Redditor wrote in a thread asking how any site featuring sexual imagery could hypothetically comply with US laws. “Maybe?”

Several users rushed to educate the Redditor about the history of age checks. Those grasping for purely technology-based solutions today could be propping up the next industry flourishing from flawed laws, they said.

And, of course, since ’90s kids easily ducked those age gates, too, history shows why investing millions to build the latest and greatest age verification systems probably remains a fool’s errand after all these years.

The cringey early history of age checks

The earliest age verification systems were born out of Congress’s “first attempt to outlaw pornography online,” the LA Times reported. That attempt culminated in the Communications Decency Act of 1996.

Although the law was largely overturned a year later, the million-dollar age verification industry was already entrenched, partly due to its intriguing business model. These companies didn’t charge adult sites any fee to add age check systems—which required little technical expertise to implement—and instead shared a big chunk of their revenue with porn sites that opted in. Some sites got 50 percent of revenues, estimated in the millions, simply for adding the functionality.

The age check business was apparently so lucrative that in 2000, one adult site, which was sued for distributing pornographic images of children, pushed fans to buy subscriptions to its preferred service as a way of helping to fund its defense, Wired reported. “Please buy an Adult Check ID, and show your support to fight this injustice!” the site urged users. (The age check service promptly denied any association with the site.)

In a sense, the age check industry incentivized adult sites’ growth, an American Civil Liberties Union attorney told the LA Times in 1999. In turn, that fueled further growth in the age verification industry.

Some services made their link to adult sites obvious, like Porno Press, which charged a one-time fee of $9.95 to access affiliated adult sites, a Congressional filing noted. But many others tried to mask the link, opting for names like PayCom or CCBill, as Forbes reported, perhaps enticing more customers by drawing less attention on a credit card statement. Other firms had names like Adult Check, Mancheck, and Adult Sights, Wired reported.

Of these firms, the biggest and most successful was Adult Check. At its peak popularity in 2001, the service boasted 4 million customers willing to pay “for the privilege of ogling 400,000 sex sites,” Forbes reported.

At the head of the company was Laith P. Alsarraf, the CEO of the Adult Check service provider Cybernet Ventures.

Alsarraf testified to Congress several times, becoming a go-to expert witness for lawmakers behind the 1998 Child Online Protection Act (COPA). Like the version of the CDA that prompted it, this act was ultimately deemed unconstitutional. And some judges and top law enforcement officers defended Alsarraf’s business model with Adult Check in court—insisting that it didn’t impact adult speech and “at most” posed a “modest burden” that was “outweighed by the government’s compelling interest in shielding minors” from adult content.

But his apparent conflicts of interest also drew criticism. One judge warned in 1999 that “perhaps we do the minors of this country harm if First Amendment protections, which they will with age inherit fully, are chipped away in the name of their protection,” the American Civil Liberties Union (ACLU) noted.

Summing up the seeming conflict, Ann Beeson, an ACLU lawyer, told the LA Times, “the government wants to shut down porn on the Net. And yet their main witness is this guy who makes his money urging more and more people to access porn on the Net.”

’90s kids dodged Adult Check age gates

Adult Check’s subscription costs varied, but the service predictably got more expensive as its popularity spiked. In 1999, customers could snag a “lifetime membership” for $76.95 or else fork over $30 every two years or $20 annually, the LA Times reported. Those were good deals compared to the significantly higher costs documented in the 2001 Forbes report, which noted a three-month package was available for $20, or users could pay $20 monthly to access supposedly premium content.

Among Adult Check’s customers were apparently some savvy kids who snuck through the cracks in the system. In various threads debating today’s laws, several Redditors have claimed that they used Adult Check as minors in the ’90s, either admitting to stealing a parent’s credit card or sharing age-authenticated passcodes with friends.

“Adult Check? I remember signing up for that in the mid-late 90s,” one commenter wrote in a thread asking if anyone would ever show ID to access porn. “Possibly a minor friend of mine paid for half the fee so he could use it too.”

“Those years were a strange time,” the commenter continued. “We’d go see tech-suspense-horror-thrillers like The Net and Disclosure where the protagonist has to fight to reclaim their lives from cyberantagonists, only to come home to send our personal information along with a credit card payment so we could look at porn.”

“LOL. I remember paying for the lifetime package, thinking I’d use it for decades,” another commenter responded. “Doh…”

Adult Check thrived even without age check laws

Sanderson’s study noted that today, minors’ “first exposure [to adult content] typically occurs between ages 11–13,” which is “substantially earlier than pre-Internet estimates.” Kids seeking out adult content may be in a period of heightened risk-taking or lack self-control, while others may be exposed without ever seeking it out. Some studies suggest that kids who are more likely to seek out adult content could struggle with lower self-esteem, emotional problems, body image concerns, or depressive symptoms. These potential negative associations with adolescent exposure to porn have long been the basis for lawmakers’ fight to keep the content away from kids—and even the biggest publishers today, like Pornhub, agree that it’s a worthy goal.

After parents got wise to ’90s kids dodging age gates, pressure predictably mounted on Adult Check to solve the problem, despite Adult Check consistently admitting that its system wasn’t foolproof. Alsarraf claimed that Adult Check developed “proprietary” technology to detect when kids were using credit cards or when multiple kids were attempting to use the same passcode at the same time from different IP addresses. He also claimed that Adult Check could detect stolen credit cards, bogus card numbers, card numbers “posted on the Internet,” and other fraud.

Meanwhile, the LA Times noted, Cybernet Ventures pulled in an estimated $50 million in 1999, ensuring that the CEO could splurge on a $690,000 house in Pasadena and a $100,000 Hummer. Although Adult Check was believed to be his most profitable venture at that time, Alsarraf told the LA Times that he wasn’t really invested in COPA passing.

“I know Adult Check will flourish,” Alsarraf said, “with or without the law.”

And he was apparently right. By 2001, subscriptions banked an estimated $320 million.

After the CDA and COPA were blocked, “many website owners continue to use Adult Check as a responsible approach to content accessibility,” Alsarraf testified.

While adult sites were likely just in it for the paychecks—which reportedly were dependably delivered—he positioned this ongoing growth as fueled by sites voluntarily turning to Adult Check to protect kids and free speech. “Adult Check allows a free flow of ideas and constitutionally protected speech to course through the Internet without censorship and unreasonable intrusion,” Alsarraf said.

“The Adult Check system is the least restrictive, least intrusive method of restricting access to content that requires minimal cost, and no parental technical expertise and intervention: It does not judge content, does not inhibit free speech, and it does not prevent access to any ideas, word, thoughts, or expressions,” Alsarraf testified.

Britney Spears aided Adult Check’s downfall

Adult Check’s downfall ultimately came in part thanks to Britney Spears, Wired reported in 2002. Spears went from Mickey Mouse Club child star to the “Princess of Pop” at 16 years old with her hit “Baby One More Time” in 1999, the same year that Adult Check rose to prominence.

Today, Spears is well-known for her activism, but in the late 1990s and early 2000s, she was one of the earliest victims of fake online porn.

Spears submitted documents in a lawsuit raised by the publisher of a porn magazine called Perfect 10. The publisher accused Adult Check of enabling the infringement of its content featured on the age check provider’s partner sites, and Spears’ documents helped prove that Adult Check was also linking to “non-existent nude photos,” allegedly in violation of unfair competition laws. The case was an early test of online liability, and Adult Check seemingly learned the hard way that the courts weren’t on its side.

That suit prompted an injunction blocking Adult Check from partnering with sites promoting supposedly illicit photos of “models and celebrities,” which it said was no big deal because it only comprised about 6 percent of its business.

However, after losing the lawsuit in 2004, Adult Check’s reputation took a hit, and it fell out of the pop lexicon. Although Cybernet Ventures continued to exist, Adult Check screening was dropped from sites, as it was no longer considered the gold standard in age verification. Perhaps more importantly, it was no longer required by law.

But although millions validated Adult Check for years, not everybody in the ’90s bought into Adult Check’s claims that it was protecting kids from porn. Some critics said it only provided a veneer of online safety without meaningfully impacting kids. Most of the country—more than 250 million US residents—never subscribed.

“I never used Adult Check,” one Redditor said in a thread pondering whether age gate laws might increase the risks of government surveillance. “My recollection was that it was an untrustworthy scam and unneeded barrier for the theater of legitimacy.”

Alsarraf keeps a lower profile these days and did not respond to Ars’ request to comment.

The rise and fall of Adult Check may have prevented more legally viable age verification systems from gaining traction. The ACLU argued that its popularity trampled the momentum of the “least restrictive” method for age checks available in the ’90s, a system called the Platform for Internet Content Selection (PICS).

Based on rating and filtering technology, PICS allowed content providers or third-party interest groups to create private rating systems so that “individual users can then choose the rating system that best reflects their own values, and any material that offends them will be blocked from their homes.”

However, like all age check systems, PICS was also criticized as being imperfect. Legal scholar Lawrence Lessig called it “the devil” because “it allows censorship at any point on the chain of distribution” of online content.

Although the age verification technology has changed, today’s lawmakers are stuck in the same debate decades later, with no perfect solutions in sight.

SCOTUS to rule on constitutionality of age gate laws

This summer, the Supreme Court will decide whether a Texas law blocking minors’ access to porn is constitutional. The decision could either stunt the momentum or strengthen the backbone of nearly 20 laws in red states across the country seeking to age-gate the Internet.

For privacy advocates opposing the laws, the SCOTUS ruling feels like a sink-or-swim moment for age gates, depending on which way the court swings. And it will come just as blue states like Colorado have recently begun pushing for age gates, too. Meanwhile, other laws increasingly seek to safeguard kids’ privacy and prevent social media addiction by also requiring age checks.

Since the 1990s, the US has debated how to best keep kids away from harmful content without trampling adults’ First Amendment rights. And while cruder credit card-based systems like Adult Check are no longer seen as viable, it’s clear that for lawmakers today, technology is still viewed as both the problem and the solution.

While lawmakers claim that the latest technology makes it easier than ever to access porn, advancements like digital IDs, device-based age checks, or app store age checks seem to signal salvation, making it easier to digitally verify user ages. And some artificial intelligence solutions have likely made lawmakers’ dreams of age-gating the Internet appear even more within reach.

Critics have condemned age gates as unconstitutionally limiting adults’ access to legal speech, at the furthest extreme accusing conservatives of seeking to censor all adult content online or expand government surveillance by tracking people’s sexual identity. (Goldman noted that “Russell Vought, an architect of Project 2025 and President Trump’s Director of the Office of Management and Budget, admitted that he favored age authentication mandates as a ‘back door’ way to censor pornography.”)

Ultimately, SCOTUS could end up deciding if any kind of age gate is ever appropriate. The court could perhaps rule that strict scrutiny, which requires a narrowly tailored solution to serve a compelling government interest, must be applied, potentially ruling out all of lawmakers’ suggested strategies. Or the court could decide that strict scrutiny applies but age checks are narrowly tailored. Or it could go the other way and rule that strict scrutiny does not apply, so all state lawmakers need to show is that their basis for requiring age verification is rationally connected to their interest in blocking minors from adult content.

Age verification remains flawed, experts say

If there’s anything the ’90s can teach lawmakers about age gates, it’s that creating an age verification industry dependent on adult sites will only incentivize the creation of more adult sites that benefit from the new rules. Back then, when age verification systems increased sites’ revenues, compliant sites were rewarded, but in today’s climate, it’s the noncompliant sites that stand to profit by not authenticating ages.

Sanderson’s study noted that Louisiana “was the only state that implemented age verification in a manner that plausibly preserved a user’s anonymity while verifying age,” which is why Pornhub didn’t block the state over its age verification law. But other states that Pornhub blocked passed copycat laws that “tended to be stricter, either requiring uploads of an individual’s government identification,” methods requiring providing other sensitive data, “or even presenting biometric data such as face scanning,” the study noted.

The technology continues evolving as the debate rages on. Some of the most popular platforms and biggest tech companies have been testing new age estimation methods this year. Notably, Discord is testing out face scans in the United Kingdom and Australia, and both Meta and Google are testing technology to supposedly detect kids lying about their ages online.

But a solution has not yet been found as parents and their lawyers circle social media companies they believe are harming their kids. In fact, the unreliability of the tech remains an issue for Meta, which is perhaps the most motivated to find a fix, having long faced immense pressure to improve child safety on its platforms. Earlier this year, Meta had to yank its age detection tool after the “measure didn’t work as well as we’d hoped and inadvertently locked out some parents and guardians who shared devices with their teens,” the company said.

On April 21, Meta announced that it started testing the tech in the US, suggesting the flaws were fixed, but Meta did not directly respond to Ars’ request to comment in more detail on updates.

Two years ago, Ash Johnson, a senior policy manager at the nonpartisan nonprofit think tank the Information Technology and Innovation Foundation (ITIF), urged Congress to “support more research and testing of age verification technology,” saying that the government’s last empirical evaluation was in 2014. She noted then that “the technology is not perfect, and some children will break the rules, eventually slipping through the safeguards,” but that lawmakers need to understand the trade-offs of advocating for different tech solutions or else risk infringing user privacy.

More research is needed, Johnson told Ars, while Sanderson’s study suggested that regulators should also conduct circumvention research or be stuck with laws that have a “limited effectiveness as a standalone policy tool.”

For example, while AI solutions are increasingly more accurate—and in one Facebook survey overwhelmingly more popular with users, Goldman’s analysis noted—the tech still struggles to differentiate between a 17- or 18-year-old.

Like Aylo, ITIF recommends device-based age authentication as the least restrictive method, Johnson told Ars. Perhaps the biggest issue with that option, though, is that kids may have an easy time accessing adult content on devices shared with parents, Goldman noted.

Not sharing Johnson’s optimism, Goldman wrote that “there is no ‘preferred’ or ‘ideal’ way to do online age authentication.” Even a perfect system that accurately authenticates age every time would be flawed, he suggested.

“Rather, they each fall on a spectrum of ‘dangerous in one way’ to ‘dangerous in a different way,'” he wrote, concluding that “every solution has serious privacy, accuracy, or security problems.”

Kids at “grave risk” from uninformed laws

As a “burgeoning” age verification industry swells, Goldman wants to see more earnest efforts from lawmakers to “develop a wider and more thoughtful toolkit of online child safety measures.” They could start, he suggested, by consistently defining minors in laws so it’s clear who is being regulated and what access is being restricted. They could then provide education to parents and minors to help them navigate online harms.

Without such careful consideration, Goldman predicts a dystopian future prompted by age verification laws. If SCOTUS endorses them, users could become so accustomed to age gates that they start entering sensitive information into various web platforms without a second thought. Even the government knows that would be a disaster, Goldman said.

“Governments around the world want people to think twice before sharing sensitive biometric information due to the information’s immutability if stolen,” Goldman wrote. “Mandatory age authentication teaches them the opposite lesson.”

Goldman recommends that lawmakers start seeking an information-based solution to age verification problems rather than depending on tech to save the day.

“Treating the online age authentication challenges as purely technological encourages the unsupportable belief that its problems can be solved if technologists ‘nerd harder,'” Goldman wrote. “This reductionist thinking is a categorical error. Age authentication is fundamentally an information problem, not a technology problem. Technology can help improve information accuracy and quality, but it cannot unilaterally solve information challenges.”

Lawmakers could potentially minimize risks to kids by only verifying age when someone tries to access restricted content or “by compelling age authenticators to minimize their data collection” and “promptly delete any highly sensitive information” collected. That likely wouldn’t stop some vendors from collecting or retaining data anyway, Goldman suggested. But it could be a better standard to protect users of all ages from inevitable data breaches, since we know that “numerous authenticators have suffered major data security failures that put authenticated individuals at grave risk.”

“If the policy goal is to protect minors online because of their potential vulnerability, then forcing minors to constantly decide whether or not to share highly sensitive information with strangers online is a policy failure,” Goldman wrote. “Child safety online needs a whole-of-society response, not a delegate-and-pray approach.”


Ashley is a senior policy reporter for Ars Technica, dedicated to tracking social impacts of emerging policies and new technologies. She is a Chicago-based journalist with 20 years of experience.


OpenAI rolls back update that made ChatGPT a sycophantic mess

In search of good vibes

OpenAI, along with competitors like Google and Anthropic, is trying to build chatbots that people want to chat with. So, designing the model’s apparent personality to be positive and supportive makes sense—people are less likely to use an AI that comes off as harsh or dismissive. For lack of a better word, it’s increasingly about vibemarking.

When Google revealed Gemini 2.5, the team crowed about how the model topped the LM Arena leaderboard, which lets people choose between two different model outputs in a blinded test. The models people like more end up at the top of the list, suggesting they are more pleasant to use. Of course, people can like outputs for different reasons—maybe one is more technically accurate, or the layout is easier to read. But overall, people like models that make them feel good. The same is true of OpenAI’s internal model tuning work, it would seem.

An example of ChatGPT’s overzealous praise. Credit: /u/Talvy

It’s possible this pursuit of good vibes is pushing models to display more sycophantic behaviors, which is a problem. Anthropic’s Alex Albert has cited this as a “toxic feedback loop.” An AI chatbot telling you that you’re a world-class genius who sees the unseen might not be damaging if you’re just brainstorming. However, the model’s unending praise can lead people who are using AI to plan business ventures or, heaven forbid, enact sweeping tariffs, to be fooled into thinking they’ve stumbled onto something important. In reality, the model has just become so sycophantic that it loves everything.

The constant pursuit of engagement has been a detriment to numerous products in the Internet era, and it seems generative AI is not immune. OpenAI’s GPT-4o update is a testament to that, but hopefully, this can serve as a reminder for the developers of generative AI that good vibes are not all that matters.


Firefly’s rocket suffers one of the strangest launch failures we’ve ever seen


The rocket’s first stage may have exploded moments after it separated from the upper stage.

Firefly Aerospace’s Alpha rocket on its launch pad at Vandenberg Space Force Base, California. Credit: Jack Beyer/Firefly Aerospace

Firefly Aerospace launched its two-stage Alpha rocket from California early Tuesday, but something went wrong about two-and-a-half minutes into the flight, rendering the rocket unable to deploy an experimental satellite into orbit for Lockheed Martin.

The Alpha rocket took off from Vandenberg Space Force Base about 140 miles northwest of Los Angeles at 6:37 am PDT (9:37 am EDT; 13:37 UTC), one day after Firefly called off a launch attempt due to a technical problem with ground support equipment.

Everything appeared to go well with the rocket’s first-stage booster, powered by four kerosene-fueled Reaver engines, as the launcher ascended through fog and arced on a southerly trajectory over the Pacific Ocean. The booster stage jettisoned from Alpha’s upper stage two-and-a-half minutes after liftoff, and that’s when things went awry.

A blast from below

A bright cloud of white vapor appeared high in the sky, indicating an explosion, or something close to it. A moment later, the upper stage’s single Lightning engine ignited for a six-minute burn to accelerate into orbit.

A ground-based infrared camera caught a glimpse of debris in the wake of the upper stage, and then Firefly’s live video stream switched to a camera onboard the rocket. The rear-facing view showed the Lightning engine stripped of its exhaust nozzle but still firing. Shards of debris were visible behind the rocket, but the video did not show any sign of the discarded first stage booster, which was expected to fall into the Pacific south of Vandenberg.

The upper stage engine kept firing for more than six minutes, when it shut down and Firefly announced that the rocket reached orbit. The rocket was programmed to release its single payload, a nearly 2-ton technology demonstration satellite built by Lockheed Martin, approximately 13 minutes into the mission. Firefly ended its live webcast of the launch before confirming separation of the satellite.

A short time later, Firefly released a statement acknowledging a “mishap during first stage separation… that impacted the Stage 2 Lightning engine nozzle.” As a result, the rocket achieved an orbit lower than its target altitude, Firefly said. The privately held Texas-based launch company amended its statement later Tuesday morning to remove the clause about the lower-than-planned orbit.

Another update from Firefly early Tuesday afternoon confirmed the launch failed. The company said the rocket “experienced a mishap between stage separation and second stage ignition that led to the loss of the Lightning engine nozzle extension, substantially reducing the engine’s thrust.”

The launcher reached an altitude of nearly 200 miles (320 kilometers) but did not reach orbital velocity, according to Firefly.

“The stage and payload have now safely impacted the Pacific Ocean in a cleared zone north of Antarctica,” Firefly said. “Firefly recognizes the hard work that went into payload development and would like to thank our mission partners at Lockheed Martin for their continued support. The team is working closely with our customers and the FAA to conduct an investigation and determine root cause of the anomaly.”

While Firefly’s live video of the launch lacked a clear, stable view of first-stage separation, the appearance of white vapor is a sign that the rocket was likely emitting propellant. It wasn’t immediately obvious whether the first stage recontacted the upper stage after separation or if the booster exploded and harmed the upper stage engine.

You can watch a replay of Firefly’s stage separation below.

Whatever the case, it’s an interesting mode of failure. Maybe it’s not as bizarre as Astra’s sideways launch in 2021, something every rocket geek should know about. Also, there’s the time Astra’s upper stage launched itself through a half-open payload fairing in 2022. United Launch Alliance’s Vulcan rocket lost a nozzle from one of its solid rocket boosters on a test flight last year, but the launch vehicle persevered and continued its climb into orbit.

The third flight of SpaceX’s Falcon 1 rocket failed in 2008 when its first stage collided with its upper stage moments after separation. An investigation determined residual thrust after shutdown of the first-stage engine pushed the booster into the bottom of Falcon 1’s upper stage, so SpaceX lengthened the time between main engine cutoff and staging. SpaceX’s next flight was successful, making Falcon 1 the first privately developed liquid-fueled rocket to reach orbit.

The only time a rocket’s first stage has exploded after separation, at least in recent memory, was in 2023, when a North Korean booster blew up before it fell into the sea. The explosion did not damage the rocket’s upper stage, which continued into orbit on North Korea’s only successful satellite launch in nearly a decade. The incident fueled speculation that North Korea intentionally destroyed the booster to prevent South Korea or the United States from recovering it for inspections.

Great expectations

Firefly is one of just a handful of active US launch companies with rockets that have reached low-Earth orbit, but its Alpha rocket hasn’t established a reliable track record. In six flights, Alpha has amassed just two unqualified successes. Two prior Alpha launches deployed their payloads in lower-than-planned orbits, and the rocket’s debut test flight in 2021 failed soon after liftoff.

Now, Alpha has again missed its aim and didn’t reach orbit at all.

The Alpha rocket is capable of hauling a payload of up to 2,270 pounds (1,030 kilograms) to low-Earth orbit, putting Firefly’s launcher in a performance class above Rocket Lab’s Electron booster and below larger rockets like SpaceX’s Falcon 9. There’s no reliable commercial launch vehicle in the United States in this middle-of-the-road performance range. One potential competitor—ABL Space Systems—abandoned the satellite launch business last year to focus on missile defense and hypersonic testing.

There are several European launchers in operation or development—Arianespace’s Vega, Isar Aerospace’s Spectrum, and Rocket Factory Augsburg’s RFA One—with lift capacities comparable to or slightly higher than Firefly’s Alpha.

File photo of a Firefly Alpha rocket lifting off in 2023. The launch on Tuesday occurred in foggy conditions.

Firefly argues that its Alpha rocket services a niche in the market for satellites too large to fly with Rocket Lab or too small to merit a dedicated flight with SpaceX. Firefly has some contract wins to bear this out. The launch on Tuesday was the first of up to 25 Alpha flights booked by Lockheed Martin to launch a series of tech demo satellites. The first of these was Lockheed Martin’s 3,836-pound (1,740-kilogram) LM-400 satellite, which was lost on Tuesday’s mission.

NASA, the National Oceanic and Atmospheric Administration, the National Reconnaissance Office, the US Space Force, and several more commercial customers have also reserved slots on Firefly’s launch schedule. With these contracts, Firefly has the fourth-largest confirmed launch backlog of any US launch company, following SpaceX, United Launch Alliance, and Rocket Lab.

While Firefly continues flying the Alpha rocket, its engineers are developing a larger Medium Launch Vehicle in partnership with Northrop Grumman. Last month, Firefly celebrated the most significant accomplishment in its 11-year history—the first fully successful landing on the Moon by a commercial entity.

But while Firefly’s first missions at its founding were to build rocket engines and launch small satellites, other markets may ultimately prove more lucrative.

Peter Beck, Rocket Lab’s founder and CEO, argues rockets like Firefly’s Alpha are in a “no man’s land” in the launch market. “It’s too small to be a useful rideshare mission, and it’s too big to be a useful dedicated rocket” for smallsats, Beck told Space News.

Firefly might have a good strategy to prove Beck wrong. But first, it needs a more reliable rocket.


Stephen Clark is a space reporter at Ars Technica, covering private space companies and the world’s space agencies. Stephen writes about the nexus of technology, science, policy, and business on and off the planet.
